An Enhanced MQTT Communication Protocol for Privacy Preservation in Industrial Internet of Things (IIoT) Systems

Abstract

This paper addresses the security shortcomings of MQTT in Industrial IoT by designing, implementing, and evaluating a secure MQTT prototype that balances confidentiality, integrity, and usability. Using an Object Oriented Analysis and Design Methodology (OOADM) guided by UML artifacts, the work decomposes the system into modular classes and enforces layered security aligned with the OSI and client–server models. Implemented in Python with Tkinter GUIs and Mosquitto as the MQTT broker, and supporting libraries (paho-mqtt, pycryptodome, bcrypt, hashlib, base64, socket) for secure messaging, encryption, authentication, and IP tracking. MQTT Explorer was used for real-time visualization of message flows, encryption consistency, and topic activity. The system integrates cryptographic techniques such as AES CBC encryption with random IVs, HMAC SHA256 integrity checks, bcrypt password hashing, and an OTP email verification/recovery flow (Gmail SMTP). Role Based Access Control, account lockout policies, and audit logging (user, role, IP, timestamp, message state) provide operational safeguards. Experimental deployment and validation were conducted in a controlled virtual environment. Kali Linux running in VirtualBox provided the platform for penetration testing, and the subscriber was executed on a Kali instance in UserLAnd with GUI access through R VNC to emulate a realistic IIoT endpoint. Security evaluation and Penetration tools included: John the Ripper for offline password cracking, Bettercap for man-in-the-middle (MITM) testing and traffic manipulation, Wireshark for packet capture and protocol analysis, and Nmap/Zenmap for port and service enumeration. These tools verified the system’s resilience against common attacks, including unauthorized topic publishing, credential compromise, and message interception. Results demonstrate that plaintext MQTT (1883) is trivially intercepted and modifiable while TLS (8883) prevents passive decryption without trust compromise, and that the combined cryptographic and access control measures significantly reduce practical attack surfaces for IIoT deployments.